Problem 3. The Heuristic 1 (Section 4.3) used to determine sets of public addresses owned by the same entity is based on the assumption that all inputs to a bitcoin transaction are controlled by the same entity. According to the paper, “the sender in the transaction must know the private signing key belonging to each public key used as an input, so it is unlikely that the collection of public keys are controlled by multiple entities (as these entities would need to reveal their private keys to each other).” Explain why this is not actually true. (A good answer will consider in more detail what is needed in the unlocking script to spend each input.)

1 Answer

Because it's possible to only partially sign a transaction (for example only one input) and then give that unfinished transaction to another party, who can then finish the transaction with their signature (for another input). Parties do not need to reveal their private keys to each other at all.

Only after all parties have signed can the transaction be sent to the bitcoin network. A partially signed transaction would always be refused.

And this principle is used in CoinJoin, which is specifically designed to improve privacy by thwarting the assumption in the question.
– Pieter Wuille, Nov 11 '15 at 9:45

Good point! It's still a fair assumption to make, isn't it? I.e. how likely could it be that the partially signed Txs are not funded with inputs from immediately related parties/stakeholders?
– Wizard Of Ozzie, Nov 11 '15 at 9:47

@WizardOfOzzie If the transaction you are looking at is interesting enough to investigate, it's more likely that it was also more important for the sending party to try to anonymize it through CoinJoin as Pieter mentioned.
– Jannes, Nov 11 '15 at 10:02